Today’s distributed denial of service (DDoS) attacks bear little resemblance to those of the early days, when most were simple, volumetric floods intended to cause embarrassment and brief disruption. The motives behind attacks are increasingly unclear, the techniques are becoming ever more complex and the frequency of attacks keeps rising. This is particularly true of automated attacks, which let attackers switch vectors faster than any human, or any traditional IT security tool, can respond.
The combination of the size, frequency and duration of modern attacks represents a serious security and availability challenge for any online organization. Minutes, or even tens of minutes, of downtime or latency significantly impacts the delivery of essential services. Below are seven do’s and don’ts to help ensure that your network is protected from DDoS attacks.
- Document your DDoS resiliency plan. The plan should record the technical competencies required (who can do what, with which tools) as well as a comprehensive plan for continuing business operations under the stress of a successful denial of service attack. An incident response team should establish and document methods of communication with the business, including key decision makers across all branches of the organization, so that stakeholders are notified and consulted accordingly.
- Recognize DDoS attack activity. Large, high-volume DDoS attacks are not the only form of DDoS activity. Short-duration, low-volume attacks are commonly launched by attackers to stress test your network and map weaknesses in your security perimeter. Understand your normal network traffic patterns and look for DDoS protection that identifies attack traffic in real time and removes both large and small attacks immediately.
- Don’t assume that only large-scale, volumetric attacks are the problem. DDoS attackers are getting more sophisticated; their objective is not only to cripple a website but to distract IT security staff with a low-bandwidth, sub-saturating DDoS attack that acts as a smokescreen for more damaging intrusions, such as ransomware deployment. Such attacks are typically short in duration (under 5 minutes) and low in volume, which means they can easily slip under the radar without being detected or mitigated by a traffic monitor, or even by some DDoS protection systems.
- Don’t rely on traffic monitoring or thresholds. Sure, you can notice when traffic spikes, but can you distinguish good traffic from bad? And what would you do if you did see a spike? Could you block only the bad traffic, or would your network resources be overwhelmed anyway? Monitoring your traffic and setting threshold limits is not a form of protection, especially when you consider that small, sub-saturating attacks often never trip a threshold at all.
- Don’t rely on an IPS or firewall. Neither an intrusion prevention system (IPS) nor a firewall will protect you; both are stateful devices whose own connection tables can be exhausted by a flood, making them a target rather than a defense. Even a firewall that claims built-in anti-DDoS capabilities typically has only one method of blocking attacks: indiscriminate thresholds. When the threshold is reached, every application and every user on that port gets blocked, causing an outage. Attackers know this and count on it: because the good users are blocked along with the attack traffic, the end goal of denial of service is achieved.
- Engage with a mitigation provider. Today many ISPs offer DDoS protection plans, either as a value-added service or a premium service. Find out whether your ISP offers free or paid DDoS protection plans, but contact your ISP long before you are attacked; if you don’t have DDoS protection in place and are already under attack, your ISP probably cannot sign you up and start blocking the DDoS traffic on the spot. Alternatively, you can purchase a DDoS protection product deployed on-premises as an anti-DDoS appliance or as a virtual machine (VM) instance. Be sure to look for rich, real-time DDoS security event analytics and reporting along with automatic mitigation.
- Pair time-to-mitigation with successful attack protection. As you develop your resiliency plan and choose a method of DDoS protection, time-to-mitigation must be a critical factor in your decision-making process. Bear in mind that DDoS mitigation services can be a useful adjunct to an automated DDoS mitigation solution. However, a mitigation service alone is insufficient because 1) before a service is engaged, someone or something, a computer or a human, must detect a DDoS attack in progress, and 2) redirecting the “bad” traffic to the service typically takes 20-30 minutes, leaving a window in which the more damaging breaches described above can occur. In the face of a DDoS attack, time is of the essence: waiting a few minutes, tens of minutes, or longer for an attack to be mitigated is not sufficient to ensure service availability or security.
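To make the points about thresholds and indiscriminate port blocking concrete, here is an added example written for this page (it is not code from the original article or from any vendor product). It runs three checks over constructed flow records: a link-utilisation threshold of the kind a traffic monitor uses, a per-port connection threshold of the kind a firewall uses, and a per-source behavioural check. The link size, alert fraction, baseline rate, multipliers and all IP addresses are assumptions chosen for illustration; the traffic itself is synthetic.

```python
"""Added example (not from the original article): a short, sub-saturating SYN
flood stays far below a link-utilisation threshold, a port-level firewall
threshold shuts out legitimate users along with the bots, and a per-source
behavioural check isolates only the attacking hosts.
All traffic is constructed; every constant below is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

LINK_BYTES_PER_SEC = 125_000_000   # assumed 1 Gbit/s link
VOLUME_ALERT_FRACTION = 0.8        # assumed: volume monitor alerts at 80 % load
FW_NEW_CONN_PER_SEC = 100          # assumed: firewall closes a port above this
BASELINE_NEW_SOURCES = 10          # assumed: normal number of new clients per second


@dataclass(frozen=True)
class Flow:
    ts: int          # second in which the packet was seen
    src: str
    dst_port: int
    nbytes: int
    syn_only: bool   # TCP SYN set, ACK clear: a fresh connection attempt


def volume_alerts(flows, link=LINK_BYTES_PER_SEC, frac=VOLUME_ALERT_FRACTION):
    """Traffic-monitor threshold: alert on any second whose byte total exceeds
    a fraction of link capacity. Returns the set of seconds that alerted."""
    per_sec = defaultdict(int)
    for f in flows:
        per_sec[f.ts] += f.nbytes
    return {ts for ts, total in per_sec.items() if total > link * frac}


def firewall_port_blocks(flows, limit=FW_NEW_CONN_PER_SEC):
    """Indiscriminate port threshold: once a port sees more than `limit` bare
    SYNs in a second, the whole port is closed for everyone that second.
    Returns the {(second, port)} pairs that would be blocked."""
    syns = defaultdict(int)
    for f in flows:
        if f.syn_only:
            syns[(f.ts, f.dst_port)] += 1
    return {key for key, n in syns.items() if n > limit}


def syn_flood_sources(flows, baseline=BASELINE_NEW_SOURCES, factor=5, min_syns=3):
    """Behavioural check: per (second, port), collect sources that sent at
    least `min_syns` bare SYNs and no established traffic in that second. A
    real client opens a connection or two and then sends data; a flood bot
    sends many SYNs and never completes a handshake. If such sources number
    `factor` times the normal rate of new clients, return them as
    {(second, port): set(sources)} so only they need to be rate-limited."""
    syn_count = defaultdict(lambda: defaultdict(int))   # (ts, port) -> src -> n
    established = defaultdict(set)                      # (ts, port) -> srcs with data
    for f in flows:
        key = (f.ts, f.dst_port)
        if f.syn_only:
            syn_count[key][f.src] += 1
        else:
            established[key].add(f.src)
    alerts = {}
    for key, per_src in syn_count.items():
        suspects = {src for src, n in per_src.items()
                    if n >= min_syns and src not in established[key]}
        if len(suspects) > baseline * factor:
            alerts[key] = suspects
    return alerts


def build_traffic():
    """Constructed sample: 10 legitimate clients for 10 seconds, plus a
    3-second SYN flood against :443 from 200 bots (TEST-NET-3 addresses)."""
    legit = [f"10.0.0.{i}" for i in range(1, 11)]
    bots = [f"203.0.113.{i}" for i in range(1, 201)]
    flows = []
    for ts in range(10):
        for ip in legit:
            flows.append(Flow(ts, ip, 443, 60, syn_only=True))      # one new connection
            flows.append(Flow(ts, ip, 443, 1500, syn_only=False))   # data on existing ones
    for ts in range(4, 7):
        for ip in bots:
            for _ in range(8):
                flows.append(Flow(ts, ip, 443, 60, syn_only=True))  # 8 bare SYNs/s per bot
    return flows, legit, bots


def analyse(flows):
    """Run all three checks and report what each would have done."""
    alerts = syn_flood_sources(flows)
    blocklist = set().union(*alerts.values()) if alerts else set()
    return {
        "volume_alert_seconds": volume_alerts(flows),
        "firewall_blocked": firewall_port_blocks(flows),
        "flood_seconds": {ts for ts, _ in alerts},
        "blocklist": blocklist,
    }


if __name__ == "__main__":
    flows, legit, bots = build_traffic()
    r = analyse(flows)
    peak = max(sum(f.nbytes for f in flows if f.ts == s) for s in range(10))
    print(f"peak load {peak / LINK_BYTES_PER_SEC:.4%} of link; volume alerts: {r['volume_alert_seconds']}")
    print(f"firewall would close port 443 in seconds {sorted(s for s, _ in r['firewall_blocked'])}")
    print(f"behavioural alerts in seconds {sorted(r['flood_seconds'])}: "
          f"{len(r['blocklist'])} sources to rate-limit, legitimate clients caught: "
          f"{len(r['blocklist'] & set(legit))}")
```

The flood peaks at well under a tenth of a percent of the assumed link, so the volume monitor never fires; the per-port firewall rule does fire, but by closing port 443 it takes the ten legitimate clients offline for the duration, which is exactly the outcome the attacker wanted. The behavioural check alerts on the same three seconds yet names only the 200 bot addresses, leaving the legitimate sources untouched. A production system would need real baselines and would look at more than bare SYN counts, but the contrast between the three approaches is the point being made above.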
Corero has been a leader in modern DDoS protection solutions for over a decade; to learn how you can protect your company, contact us.